Environment
Novell Access Manager 3.1.2.328
PaswordFetchClass
PaswordFetchClass
Situation
Purpose
Configure the PasswordFetchClass to retrieve users Universal Passwords from an eDirectory User Store
Symptoms
Method configured to use PasswordFetchClass fails to retrieve the password.
If the option "Ignore password retrieval failure"is not enabled in the class configuration, the protected resource cannot be reached and the message:
"Error: Error while retrieving the password"
is shown to the end user.
If the Application log level is set to Verbose or Debug, in the catalina.out of the Identity Server the following error can be seen:
Warning: Invalid resource key: Password Fetch Class: Principal username is : . No prefix!
<amLogEntry> 2010-10-28T08:57:57Z DEBUG NIDS Application: Password Fetch Class: Principal username is : </amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z WARNING NIDS Application: NIDPLOGGING.200104063 : com.novell.security.nmas.mgmt.NMASPwdException</amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z VERBOSE NIDS Application: Authentication method PWFetchTestMethod failed. </amLogEntry>
where "PWFetchTestMethod" is the name you chosen for the defined method.
Configure the PasswordFetchClass to retrieve users Universal Passwords from an eDirectory User Store
Symptoms
Method configured to use PasswordFetchClass fails to retrieve the password.
If the option "Ignore password retrieval failure"is not enabled in the class configuration, the protected resource cannot be reached and the message:
"Error: Error while retrieving the password"
is shown to the end user.
If the Application log level is set to Verbose or Debug, in the catalina.out of the Identity Server the following error can be seen:
Warning: Invalid resource key: Password Fetch Class: Principal username is : . No prefix!
<amLogEntry> 2010-10-28T08:57:57Z DEBUG NIDS Application: Password Fetch Class: Principal username is : </amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z WARNING NIDS Application: NIDPLOGGING.200104063 : com.novell.security.nmas.mgmt.NMASPwdException</amLogEntry>
<amLogEntry> 2010-10-28T08:57:57Z VERBOSE NIDS Application: Authentication method PWFetchTestMethod failed. </amLogEntry>
where "PWFetchTestMethod" is the name you chosen for the defined method.
Resolution
In order to allow PasswordFetchClass to successfully retrieve the
password, the Universal Password policy defined in the user store,
and associated to the user authenticating, MUST be configured to
allow the retrieval of the passwords from the user configured in
the Identity Server for the connection with the User Store.
If you configured the Identity Server to use Admin to connect to the User Store, then you can enable the option "Allow Admin to retrieve passwords" as shown below:
In case you created and configured a specific user for the Identity Server connection with the User Store, then you can select "Allow the following to retrieve passwords" and specify your defined user.
If you configured the Identity Server to use Admin to connect to the User Store, then you can enable the option "Allow Admin to retrieve passwords" as shown below:
In case you created and configured a specific user for the Identity Server connection with the User Store, then you can select "Allow the following to retrieve passwords" and specify your defined user.
Additional Information
Other common issues that may occur while retrieving passwords using
PasswordFetchClass are the following:
"LDAP connection failure"
while accessing the protected resource and you will notice the following error in the catalina.out of the Identity Server:
javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
When the Simple Password retrieval is configured but the Simple Password itself is not set for the user authenticating, the following error can be seen in the catalina.out of the Identity Server:
<amLogEntry> 2010-10-28T09:41:17Z WARNING NIDS Application: NIDPLOGGING.200104064 </amLogEntry>
- Identity Server is configured to connect to the User Store replicas in LDAP clear text on port 389;
- PasswordFetchClass is configured to retrieve Simple Password, but the Simple Password for the user is not set.
"LDAP connection failure"
while accessing the protected resource and you will notice the following error in the catalina.out of the Identity Server:
javax.naming.CommunicationException: simple bind failed: xxx.xxx.xxx.xxx:389 [Root exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?]
When the Simple Password retrieval is configured but the Simple Password itself is not set for the user authenticating, the following error can be seen in the catalina.out of the Identity Server:
<amLogEntry> 2010-10-28T09:41:17Z WARNING NIDS Application: NIDPLOGGING.200104064 </amLogEntry>